## UK Patent Application (19) GB (11) 2 093 614 A

- (21) Application No 8105275
- (22) Date of filing 19 Feb 1981
- (43) Application published 2 Sep 1982
- (51) INT CL<sup>3</sup> G06F 11/16
- (52) Domestic classification G4A 12T 13E EC
- (56) Documents cited None
- (58) Field of search G4A
- (71) Applicants
  The Plessey Company
  Limited,
  Vicarage Lane,
  Ilford,
  Essex IG1 4AQ
- (72) Inventors T.H. Hesketh
- (74) Agents R.J. Hart, Vicarage Lane, Ilford, Essex IG1 4AQ.

- (54) Triply redundant microprocessor system
- (57) A triple redundant microprocessor system has three microprocessors MPA, MPB, MPC, each of which includes a memory bus MA, MB, MC, to which is connected a program memory. ROM and a data memory RAM which are addressed via an associated address bus AB. Each microprocessor also includes a data bus PA, PB, PC which is interconnected to the memory

bus by associated majority voting circuits M1, M2, M3 which are also interconnected to the other microprocessor data buses and memory buses. The majority voting circuits function to provide majority voting on the respective microprocessor data bus and memory bus in response to the condition of signals present on the data buses and the memory buses connected thereto

(57) continued overleaf...



GB 2 093 614 A

and to signals generated to the microprocessors. The system provides majority voting on bidirectional data buses only, and incorporates a phase locking arrangement for the internal clock generators CO of the microprocessor and also a hardware/software arrangement for instruction synchronism.



3/5/06, EAST Version: 2.0.3.0



3/5/06, EAST Version: 2.0.3.0

## Microprocessor system

5 The present invention relates to microprocessor systems and in particular to a triple redundant microprocessor system which uses majority voting circuits.

The technique of using triple redundancy with
majority voting to produce reliable systems from
imperfectly reliable components is well known in the
art, and when the technique is applied to commercially available microprocessors certain problems
arise. The first problem is that only those signals that
appear on external pin connections of the microprocessor are available for comparison. The second
problem is that for majority voting to be meaningful,
the microprocessors must operate in exact synchronism, and the third problem is that instruction
synchronism must be maintained.

Accordingly an aim of the present invention is to provide a triple redundant microprocessor which overcomes the above mentioned problems in an efficient and effective manner.

25 According to the present invention there is provided a triple redundant microprocessor system wherein each microprocessor includes a memory bus to which is connected a program memory and data memory which are addressed via an associated

30 address bus, each microprocessor also includes a data bus which is interconnected to the memory bus via associated majority voting circults which are also interconnected to the other microprocessor data buses and memory buses and which function to

35 provide majority voting on the respective microprocessor data bus and memory bus in response to the condition of signals present on the data buses and memory buses connected thereto, and to signals generated by the respective microprocessor.

40 An embodiment of the invention will now be described with reference to the accompanying drawings, of which

Figure 1 shows a block diagram of a triple redundant microprocessor system, and,

45 Figure 2 shows a schematic diagram of a majority voting circuit as used in Figure 1.

Referring Figure 1, three microprocessors MPA, MPB and MPC are shown with all their associated circuitry. The circuitry for each is identical and will be 50 described collectively. Each microprocessor has an associated clock oscillator CO and timer T. Oscillator CO has a clock fail indicator CF and timer T has a sync fail indicator SF. Timer T is used to provide an interrupt signal INT for its associated microprocessor via a majority gate. Each microprocessor has an address bus AB for addressing an associated random access memory RAM, a read only memory ROM and an input/output device I/O all of which

output onto an associated memory bus MA, MB and 60 MC. The memory buses MA, MB and MC are all connected to a respective input of one half the majority voting circuit M1 associated with each microprocessor. The circuit M1 provides suitable gating logic which provides a read error signal RE

65 and an output signal OP1 which is delivered to a

tristate buffer TB1. The associated microprocessor produces a directional control signal RD, the inverse of which is applied to the tristate buffer TB1 and to an error monitoring system SEL. The system SEL

70 also receives the associated read error signal RE and provides an indication for random access memory errors RAME, read only memory errors ROME and input/output errors VOE. The output of the associated tristate buffer TB1 is applied to the associated

75 microprocessor data bus PA, PB or The data bus is applied to a second half of an associated majority voting circuit M2 which is connected also to the other data buses. Majority voting circuit M2 provides suitable gating logic which responds to the signals

80 on the data buses and the circuit M2 provides an output signal OP2 and a write error signal WE. The output signal OP2 is applied to a tristate buffer TB2 together with an inverse directional control signal WR which is originated by the associated microp-

85 rocessor. The output from the tristate buffer TB2 is applied to its associated memory bus MA, MB or MC. The control signal WR and the write error signal WC are applied to an error monitoring system MPE which provides an indication for microprocessor 90 errors.

Referring to Figure 2, a bidirectional majority voting circuit is shown. Eight such circuits are provided for handling the eight bits of information which are present on each bus. The circuit shown is 55 connected for use in association with microprocessor MPA and similar circuits are used for microprocessor MPB and MPC. The microprocessor memory data buses MA, MB and MC are connected to an array of gates consisting of AND gates G1 - G3, 100 NAND gates G4 - G6 OR gate G7, and NOR gates G8,

G9. The data buses PA, PB and PV are similarly connected to an array of gates consisting of AND gates G10 - G12, NAND gates, G13 - G15, OR, gate G16 and NOR gates G17, G18. Gates G1, G5 and G10 and G15 have one of their inputs inverted and gates G6 and G14 have two of their inputs inverted. The output of gate G2 provides the read error signal RE, and the output of gtge G17 provides the write error signal WE. The outputs of gates G9 and G18 provide

applied to tristate buffers TB1 and TB2 respectively.

Gate G1, G4, G10 and G13 are enabled by a signal EN which is produced by the respective microprocessor to enable/disable majority voting. The tristate buffers TB1

115 fers TB1, TB2 receive directional control signals RD and WR respectively which are produced by the respective microprocessor. The output of tristate buffer TB1 is connected to the respective microprocessor data bus PA, PB or PC, and the output of 120 tristate buffer TB2 is connected to the respective microprocessor memory bus MA, MB or MC.

The microprocessor system described overcomes the first mentioned problem, in that any change that occurs within a microprocessor or its memories and peripheral devices will ultimately be reflected in signals on the data bus which connects the microprocessor and its memories and peripheral devices. An adequate method of error detection and correction is obtained by majority voting on the data bus, and the use of dummy read/writes of otherwise

infrequently accessed memory locations will provide timely warning of faults in those locations. Since the data bus is bi-directional, a bi-directional majority voting circuit as discussed is used controlled by the 5 read/write control signals RD, WR from the respective microprocessors.

The majority voting circuit has error output signals RE, WE which are asserted when the input from its own microprocessor system is different from the 10 other two microprocessor systems. The error signals are fed to the respective error counting systems SEL, MPE which operates warning and alarm signals at appropriate error rates. Each microprocessor system therefore monitors its own errors.

In respect of the second problem discussed above, this is overcome by using the internal clock generators CO of the microprocessors and phase-locking them. A varactor diode is connected in series with the frequency determining cyrstal of each microp-20 rocessor which allows the crystal frequency to be pulled by the few-parts per million necessary to obtain synchronism. The bias on the varactor is derived from a conventional phase-locked loop circuit which compares the phase of the clock output 25 of each microprocessor with a reference clock. The reference clock is obtained from the majority of the three clock outputs and continues to be available even if one clock generator fails completely or runs away. The microprocessor system is therefore refer-30 red to the clock generator of median phase. The controlling clock generator is synchronised to itself and the phase-locked loop is provided to be stable in this condition. The no clock and clock out-of-lock condition are detected and are used to drive a clock 35 fail indicator CF.

The above mentioned third problem is related to the second in that microprocessor instruction synchronism is required and is achieved by the use of both hardware and software implementation. The 40 hardware consists of an inerval timer T attached to each microprocessor. The output of the timer T drives one of the program interrupt inputs of the associated microprocessor, via a majority gate. By use of the enable/disable signal EN the majority 45 voting circuits can be made to revert to non-voting operation. The microprocessor outputs are arranged to assume the non-voting state at power on. The software consists of a HALT instruction which is inserted in the main loop of the operating system. 50 The HALT instruction is preceded by intructions to set the non-voting state and is followed by instructions to set the voting state.

When the system is first switched on, the microprocessors MPA, MPB and MPC run asynchronously 55 through an initalisation sequence until they read the HALT instruction whereupon they stop and wait until a timer interrupt signal INT occurs. Since the interrupt signal is obtained from the majority of the three timer outputs, it occurs simultaneously in all three 60 microprocessors, even though the timers were not necessarily initiated at the same instant. By the time the interrupt has occurred, the phase-locked loop will have synchronised and the microprocessors will be launched into an interrupt service routine in clock 65 and instruction synchronism. The service routines

re-starts the timer and returns control to the instruction following the HALT instruction. The microprocessor will now be in the main loop in synchronism and with the voting state set. If one microprocessor gets a few clock cycles out of step, when the other two microprocessors have reached the HALT instruction it will be running independantly in the non-voting state and has an opportunity to catch up. The timer period is chosen so that only a small proportion of the time is spent in the HALT state. If one microprocessor gets a whole instruction cycle out of synchronism the correct op-code will be forced on the data bus by the majority voting circuit during the instruction fetch phase, and synchronism will be regained.

## CLAIMS

- 1. A triple redundant microprocessor system

  85 wherein each microprocessor includes a memory
  bus to which is connected a program memory and a
  data memory which are addressed via an associated
  address bus, each microprocessor also includes a
  data bus which is interconnected to the memory bus

  90 via associated majority voting circuits which are also
  interconnected to the other microprocessor data
  buses and memory buses and which function to
  provide majority voting on the respective microprocessor data bus and memory bus in response to

  95 the condition of signals present on the data buses
  and memory buses connected thereto, and to signals generated by the respective microprocessor.
- 2. A triple redundant microprocessor system as claimed in claim 1 wherein each microprocessor is provided with an arrangement for synchronising the instructions which the microprocessors have to perform, said arrangement includes an interval timer associated with each microprocessor which drives, via a majority gate, a program interrupt input of the 105 respective microprocessor, and the signals which each microprocessor generates include enable/disable signals which dictate the vote/non-vote state of the majority voting circuits, said enable/disable signals being generated by instructions which are 110 Inserted in the main operating loop of the microprocessor system, said instructions consisting of a HALT instruction preceded by an instruction to set the non voting state, and followed by an instruction to set the voting state, and each microprocessor runs 115 through a sequence until each performs the HALT
- instruction, whereupon each microprocessor waits until a timer interrupt signal occurs which is generated by said timers via said majority gate and thereby provide instruction synchronism for the 120 system.
- A triple redundant microprocessor system as claimed in claim 2 wherein each microprocessor includes a frequency clock oscillator which is maintained in synchronism with the other oscillators by a phase-locked loop arrangement which is used to provide a bias voltage for a variable conductive semiconductor device connected in series with each respective oscillator to permit the majority voting circuits to function in synchronism.
- 130 4. A triple redundant microprocessor as claimed

in claim 3 wherein the variable conductive semiconductor device is a varactor diode.  $\label{eq:conductor} % \begin{center} \begin{center}$ 

A triple redundant microprocessor substantially as described with reference to the accompany ing drawings.

Printed for Har Majesty's Stationery Office, by Croydon Printing Company Limited, Croydon, Surrey, 1982. Published by The Pateni Office, 25 Southampton Buildings, London, WCZA 1AV, from which copies may be obtained.